- 07 Jul, 2011 3 commits
-
-
Johannes Berg authored
Unlike CCMP, the presence or absence of the QoS field doesn't change the encryption, only the TID is used. When no QoS field is present, zero is used as the TID value. This means that it is possible for an attacker to take a QoS packet with TID 0 and replay it as a non-QoS packet. Unfortunately, mac80211 uses different IVs for checking the validity of the packet's TKIP IV when it checks TID 0 and when it checks non-QoS packets. This means it is vulnerable to this replay attack. To fix this, use the same replay counter for TID 0 and non-QoS packets by overriding the rx->queue value to 0 if it is 16 (non-QoS). This is a minimal fix for now. I caused this issue in commit 1411f9b5 Author: Johannes Berg <johannes@sipsolutions.net> Date: Thu Jul 10 10:11:02 2008 +0200 mac80211: fix RX sequence number check while fixing a sequence number issue (there, a separate counter needs to be used). Cc: stable@kernel.org Signed-off-by:
Johannes Berg <johannes.berg@intel.com> Signed-off-by:
John W. Linville <linville@tuxdriver.com>
-
Luciano Coelho authored
We were not allocating memory for the IEs passed in the scheduled_scan request and this was causing memory corruption (buffer overflow). Signed-off-by:
Luciano Coelho <coelho@ti.com> Signed-off-by:
-
Rafał Miłecki authored
Our workarounds seem to be clientmode PCI specific. Using SPROM workaround on SoC resulted in Oops: Data bus error, epc == 8017ed58, ra == 80225838 Oops[#1]: Cpu 0 $ 0 : 00000000 10008000 b8000000 00000001 $ 4 : 80293b5c 00000caa ffffffff 00000000 $ 8 : 0000000a 00000003 00000001 696d6d20 $12 : ffffffff 00000000 00000000 ffffffff $16 : 802d0140 b8004800 802c0000 00000000 $20 : 00000000 802c0000 00000000 802d04d4 $24 : 00000018 80151a00 $28 : 81816000 81817df8 8029bda0 80225838 Hi : 00000000 Lo : 00000000 epc : 8017ed58 ssb_ssb_read16+0x48/0x60 Not tainted ra : 80225838 ssb_pcicore_init+0x54/0x3b4 Reported-by:
Hauke Mehrtens <hauke@hauke-m.de> Signed-off-by:
Rafał Miłecki <zajec5@gmail.com> Tested-by:
-
- 05 Jul, 2011 7 commits
-
-
Yoann DI-RUZZA authored
Signed-off-by:
Yoann DI-RUZZA <y.diruzza@lim.eu> Signed-off-by:
Larry Finger <Larry.Finger@lwfinger.net> Cc: Stable <stable@kernel.org> Signed-off-by:
-
Rajkumar Manoharan authored
While sending aggregated frames in AES, the AR5416 chips required additional padding b/w subframes. This workaround is not needed for edma (AR9003 family) chips. With this patch ~4Mbps thoughput improvement was observed in clear environment. Cc: stable@kernel.org Signed-off-by:
Rajkumar Manoharan <rmanohar@qca.qualcomm.com> Signed-off-by:
-
Christian Lamparter authored
Cc: stable@kernel.org Reported-by: Mark Davis Signed-off-by:
Christian Lamparter <chunkeey@googlemail.com> Signed-off-by:
-
Luciano Coelho authored
There was a deadlock when rfkill-blocking a wireless interface, because we were locking the rdev mutex on NETDEV_GOING_DOWN to stop sched_scans that were eventually running. The rfkill block code was already holding a mutex under rdev: kernel: ======================================================= kernel: [ INFO: possible circular locking dependency detected ] kernel: 3.0.0-rc1-00049-g1fa7b6a2 #57 kernel: ------------------------------------------------------- kernel: kworker/0:1/4525 is trying to acquire lock: kernel: (&rdev->mtx){+.+.+.}, at: [<ffffffff8164c831>] cfg80211_netdev_notifier_call+0x131/0x5b0 kernel: kernel: but task is already holding lock: kernel: (&rdev->devlist_mtx){+.+.+.}, at: [<ffffffff8164dcef>] cfg80211_rfkill_set_block+0x4f/0xa0 kernel: kernel: which lock already depends on the new lock. To fix this, add a new mutex specifically for sched_scan, to protect the sched_scan_req element in the rdev struct, instead of using the global rdev mutex. Reported-by:
Duane Griffin <duaneg@dghda.com> Signed-off-by:
-
Pavel Roskin authored
Signed-off-by:
Pavel Roskin <proski@gnu.org> Cc: <stable@kernel.org> Signed-off-by:
-
Pavel Roskin authored
Signed-off-by:
-
John W. Linville authored
-
- 30 Jun, 2011 3 commits
-
-
Tomas Targownik authored
If the remote device is not present, the connections attemp fails and the struct hci_conn was not freed Signed-off-by:
Tomas Targownik <ttargownik@geicp.com> Signed-off-by:
Gustavo F. Padovan <padovan@profusion.mobi>
-
Gustavo F. Padovan authored
PTS test A2DP/SRC/SRC_SET/TC_SRC_SET_BV_02_I revealed that ( probably after the df3c3931 commit ) the l2cap connection could not be established in case when the "Auth Complete" HCI event does not arive before the initiator send "Configuration request", in which case l2cap replies with "Command rejected" since the channel is still in BT_CONNECT2 state. Based on patch from: Ilia Kolomisnky <iliak@ti.com> Signed-off-by:
-
Peter Hurley authored
Partial revert of commit aabf6f89. When the hidp session thread was converted from kernel_thread to kthread, the atomic/wakeups were replaced with kthread_stop. kthread_stop has blocking semantics which are inappropriate for the hidp session kthread. In addition, the kthread signals itself to terminate in hidp_process_hid_control() - it cannot do this with kthread_stop(). Lastly, a wakeup can be lost if the wakeup happens between checking for the loop exit condition and setting the current state to TASK_INTERRUPTIBLE. (Without appropriate synchronization mechanisms, the task state should not be changed between the condition test and the yield - via schedule() - as this creates a race between the wakeup and resetting the state back to interruptible.) Signed-off-by:
Peter Hurley <peter@hurleysoftware.com> Signed-off-by:
-
- 29 Jun, 2011 2 commits
-
-
Eugene A. Shatokhin authored
We would free the proper number of curves, but in the wrong slots, due to a missing level of indirection through the pdgain_idx table. It's simpler just to try to free all four slots, so do that. Cc: stable@kernel.org Signed-off-by:
Bob Copeland <me@bobcopeland.com> Signed-off-by:
-
Rajkumar Manoharan authored
When no interface has been brought up, the chip's power state continued as AWAKE. So during resume, the chip never been powered up. Cc: stable@kernel.org Signed-off-by:
-
- 28 Jun, 2011 2 commits
-
-
Dan Rosenberg authored
A remote user can provide a small value for the command size field in the command header of an l2cap configuration request, resulting in an integer underflow when subtracting the size of the configuration request header. This results in copying a very large amount of data via memcpy() and destroying the kernel heap. Check for underflow. Signed-off-by:
Dan Rosenberg <drosenberg@vsecurity.com> Cc: stable <stable@kernel.org> Signed-off-by:
-
John W. Linville authored
"iwlagn: map command buffers BIDI" uses the DMA_* enumerations for DMA directions, even though the pci_* DMA API is still in use. That patch was undoubtedly developed on top of "iwlagn: don't use the PCI wrappers for DMA operation", which is due in the next release. Signed-off-by:
-
- 27 Jun, 2011 5 commits
-
-
Arik Nemtsov authored
Sometimes when reporting a MIC failure rx->key may be unset. This code path is hit when receiving a packet meant for a multicast address, and decryption is performed in HW. Fortunately, the failing key_idx is not used for anything up to (and including) usermode, so we allow ourselves to drop it on the way up when a key cannot be retrieved. Signed-off-by:
Arik Nemtsov <arik@wizery.com> Cc: stable@kernel.org Signed-off-by:
-
Evgeni Golov authored
Currently (3.0-rc2), modinfo iwlagn shows: firmware: iwlwifi-5150-IWL5150_UCODE_API_MAX.ucode firmware: iwlwifi-5000-IWL5000_UCODE_API_MAX.ucode firmware: iwlwifi-6000g2b-IWL6000G2_UCODE_API_MAX.ucode firmware: iwlwifi-6000g2a-IWL6000G2_UCODE_API_MAX.ucode firmware: iwlwifi-6050-IWL6050_UCODE_API_MAX.ucode firmware: iwlwifi-6000-IWL6000_UCODE_API_MAX.ucode firmware: iwlwifi-100-IWL100_UCODE_API_MAX.ucode firmware: iwlwifi-1000-IWL1000_UCODE_API_MAX.ucode firmware: iwlwifi-105-IWL105_UCODE_API_MAX.ucode firmware: iwlwifi-2030-IWL2030_UCODE_API_MAX.ucode firmware: iwlwifi-2000-IWL2000_UCODE_API_MAX.ucode which is obviously wrong, the user should not see the *_UCODE_API_MAX macros but the actual ucode API versions here. The problem are the #define *_MODULE_FIRMWARE(api) *_FW_PRE #api ".ucode" which do not expand api correctly (because this is a macro itself). Fixed by using __stringify() from linux/stringify.h. Further information about macro stringification can be found here: http://gcc.gnu.org/onlinedocs/cpp/Stringification.htmlSigned-off-by:Evgeni Golov <sargentd@die-welt.net> Signed-off-by:
Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by:
-
-
Johannes Berg authored
Evidently, the device sometimes wants to write back to command buffers, even if I see no reason why it should. Allow it to do that. Tested-by:
Andy Lutomirski <luto@mit.edu> Tested-by:
Kyle McMartin <kyle@redhat.com> Signed-off-by:
-
Johannes Berg authored
When we stop the device while a command is in flight that uses multiple TBs, we can leak the DMA buffers for the second and higher TBs. Fix this by using iwlagn_unmap_tfd() as we do when we normally recover the entry. Signed-off-by:
-
- 24 Jun, 2011 2 commits
-
-
Johannes Berg authored
When an interface changes type to a P2P type, iwlagn will erroneously set vif->type to the P2P type and not the reduced/split type. Fix this by keeping "newtype" in another variable for the assignment to vif->type. Cc: stable@kernel.org [2.6.38+] Signed-off-by:
-
Emmanuel Grumbach authored
Since we don't have HUGE command any more, there is no point in adding 1 to the num of slots in the command queue. Doing so is buggy and might corrupt memory. Bug introduced by 4ce7cc2b iwlagn: support multiple TBs per command Cc: Johannes Berg <johannes.berg@intel.com> Signed-off-by:
Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by:
-
- 22 Jun, 2011 1 commit
-
-
Larry Finger authored
In commit 3ac5e26a entitled "rtlwifi: rtl8192c-common: Change common firmware routines for addition of rtl8192se and rtl8192de", the firmware loading code was moved. Unfortunately, some necessary code was dropped for rtl8192cu. The dmesg output shows the following: rtl8192c: Loading firmware file rtlwifi/rtl8192cufw.bin rtl8192c_common:_rtl92c_fw_free_to_go():<0-0> Polling FW ready fail!! REG_MCUFWDL:0x00000006 . rtl8192c_common:rtl92c_download_fw():<0-0> Firmware is not ready to run! In addition, the interface will authenticate and associate, but cannot transfer data. This is reported as Kernel Bug #38012. Signed-off-by:
-
- 20 Jun, 2011 2 commits
-
-
Larry Finger authored
There are two devices with PCI ID 0x10ec:0x8192, namely RTL8192E and RTL8192SE. The method of distinguishing them is by the revision ID at offset 0x8 of the PCI configuration space. If the value is 0x10, then the device uses rtl8192se for a driver. Signed-off-by:
-
John W. Linville authored
-
- 15 Jun, 2011 3 commits
-
-
Ilia Kolomisnky authored
In hci_conn_security ( which is used during L2CAP connection establishment ) test for HCI_CONN_ENCRYPT_PEND state also sets this state, which is bogus and leads to connection time-out on L2CAP sockets in certain situations (especially when using non-ssp devices ) Signed-off-by:
Ilia Kolomisnky <iliak@ti.com> Signed-off-by:
-
Nishant Sarmukadam authored
Post commit e4eefec7, the stack is not generating the CCMP header for us anymore. This broke the CCMP functionality since firmware was not doing this either. Set a flag to tell the firmware to generate the CCMP header Signed-off-by:
Nishant Sarmukadam <nishants@marvell.com> Signed-off-by:
-
Yogesh Ashok Powar authored
Following OOPS was seen when booting with card inserted BUG: unable to handle kernel NULL pointer dereference at 0000004c IP: [<f8b7718c>] cfg80211_get_drvinfo+0x21/0x115 [cfg80211] *pde = 00000000 Oops: 0000 [#1] SMP Modules linked in: iwl3945 iwl_legacy mwifiex_sdio mac80211 11 sdhci_pci sdhci pl2303 'ethtool' on the mwifiex device returned this OOPS as wiphy_dev() returned NULL. Adding missing set_wiphy_dev() call to fix the problem. Signed-off-by:
Yogesh Ashok Powar <yogeshp@marvell.com> Signed-off-by:
-
- 14 Jun, 2011 1 commit
-
-
Johan Hedberg authored
When authentication completes we shouldn't blindly accept any pending L2CAP connect requests. If the socket has the defer_setup feature enabled it should still wait for user space acceptance of the connect request. The issue only happens for non-SSP connections since with SSP the L2CAP Connect request may not be sent for non-SDP PSMs before authentication has completed successfully. Signed-off-by:
Johan Hedberg <johan.hedberg@intel.com> Signed-off-by:
-
- 13 Jun, 2011 1 commit
-
-
Luiz Augusto von Dentz authored
With older userspace versions (using hciops) it might not have the key type to check if the key has sufficient security for any security level so it is necessary to check the return of hci_conn_auth to make sure the connection is authenticated Signed-off-by:
Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Acked-by:
-
- 10 Jun, 2011 4 commits
-
-
John W. Linville authored
-
Ville Tervo authored
Some old hci controllers do not accept any mask so leave the default mask on for these devices. < HCI Command: Set Event Mask (0x03|0x0001) plen 8 Mask: 0xfffffbff00000000 > HCI Event: Command Complete (0x0e) plen 4 Set Event Mask (0x03|0x0001) ncmd 1 status 0x12 Error: Invalid HCI Command Parameters Signed-off-by:Ville Tervo <ville.tervo@nokia.com> Tested-by:
Corey Boyle <corey@kansanian.com> Tested-by:
Ed Tomlinson <edt@aei.ca> Signed-off-by:
-
David Miller authored
Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Luiz Augusto von Dentz authored
shutdown should wait for SCO link to be properly disconnected before detroying the socket, otherwise an application using the socket may assume link is properly disconnected before it really happens which can be a problem when e.g synchronizing profile switch. Signed-off-by:
Luiz Augusto von Dentz <luiz.dentz-von@nokia.com> Signed-off-by:
-
- 09 Jun, 2011 1 commit
-
-
Filip Palian authored
Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding byte each. This byte in "cinfo" is copied to userspace uninitialized. Signed-off-by:
Filip Palian <filip.palian@pjwstk.edu.pl> Acked-by:
Marcel Holtmann <marcel@holtmann.org> Signed-off-by:
-
- 08 Jun, 2011 3 commits
-
-
Stanislaw Gruszka authored
We use priv->mutex to avoid race conditions between chswitch_done() and mac_channel_switch(), when marking channel switch in progress. But chswitch_done() can be called in atomic context from rx_csa() or with mutex already taken from commit_rxon(). To fix remove mutex from chswitch_done() and use atomic bitops for marking channel switch pending. Cc: stable@kernel.org # 2.6.39+ Signed-off-by:
Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by:
-
Johannes Berg authored
Ignacy reports that sometimes after leaving an IBSS joining a new one didn't work because there still were stations on the list. He fixed it by flushing stations when attempting to join a new IBSS, but this shouldn't be happening in the first case. When I looked into it I saw a race condition in teardown that could cause stations to be added after flush, and thus cause this situation. Ignacy confirms that after applying my patch he hasn't seen this happen again. Reported-by:
Ignacy Gawedzki <i@lri.fr> Debugged-by:
-
Wey-Yi Guy authored
During channge channel, tx power will not send to uCode, the tx power command should send after scan complete. but should also can send after RXON command. Stable fix identified by Stanislaw Gruszka <sgruszka@redhat.com>. Signed-off-by:
-
